cookpad / omniauth-rails_csrf_protection

Provides CSRF protection on OmniAuth request endpoint on Rails application.


Is TokenVerifier#call reentrant?

nevans opened this issue · comments

In the railtie, we assign a new token verifier to a global config value:

OmniAuth.config.request_validation_phase = TokenVerifier.new

OmniAuth doesn't protect against concurrent calls to this global object (omniauth/strategy.rb):

      OmniAuth.config.request_validation_phase.call(env) if OmniAuth.config.request_validation_phase

TokenVerifier#call sets an ivar on this global object, before calling verified_request?:

    def call(env)
      @request = ActionDispatch::Request.new(env.dup)
      unless verified_request?
        raise ActionController::InvalidAuthenticityToken
      end
    end

In a multi-threaded app, two threads might update @request before either thread is able to evaluate verified_request?. (With fibers, this should be safe... so long as no fiber transfers are triggered by ActionDispatch::Request.new, verified_request?, TracePoint, etc.)

What do you think? Am I missing something that would make this safe?
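The interleaving described above, reproduced deterministically as an added example (this is not the gem's code nor code from the issue author). It models the quoted verifier without Rails: `env` is a plain Hash carrying a constructed session token and submitted token, `verified_request?` compares the two, and a hypothetical `pause:` hook marks the point between "assign @request" and "check @request" so the test can park thread A there while thread B runs to completion on the same global object. The reentrant variant beside it keeps the request in a local and passes it to the predicate, so concurrent calls cannot observe each other's state.

```ruby
# Constructed stand-in for ActionController::InvalidAuthenticityToken.
class InvalidAuthenticityToken < StandardError; end

# Mirrors the structure quoted in the issue: one shared instance, the request
# stored in an ivar, then a predicate that reads that ivar.
class SharedStateVerifier
  def initialize(pause: nil)
    @pause = pause # hypothetical hook, only here to make the race reproducible
  end

  def call(env)
    @request = env.dup
    @pause&.call(env)            # window between "assign ivar" and "check ivar"
    raise InvalidAuthenticityToken unless verified_request?
    true
  end

  private

  def verified_request?
    @request[:param_token] == @request[:session_token]
  end
end

# Reentrant version: no per-call state lives on the shared object.
class ReentrantVerifier
  def initialize(pause: nil)
    @pause = pause
  end

  def call(env)
    request = env.dup
    @pause&.call(env)            # same window, but nothing shared to clobber
    raise InvalidAuthenticityToken unless verified_request?(request)
    true
  end

  private

  def verified_request?(request)
    request[:param_token] == request[:session_token]
  end
end

# Constructed sample requests: one with a mismatched token, one legitimate.
FORGED_ENV = { param_token: "attacker-guess", session_token: "s3cr3t" }.freeze
LEGIT_ENV  = { param_token: "s3cr3t",         session_token: "s3cr3t" }.freeze

# Force the interleaving from the issue on a single global verifier:
#   thread A enters call(FORGED_ENV) and parks right after assigning its request,
#   thread B runs call(LEGIT_ENV) to completion,
#   thread A resumes and evaluates the predicate.
# Returns :accepted if A's forged request passed, or the exception class if not.
def race(verifier_class)
  a_parked = Queue.new
  a_resume = Queue.new
  pause = lambda do |env|
    if env == FORGED_ENV
      a_parked << true
      a_resume.pop
    end
  end
  verifier = verifier_class.new(pause: pause)

  thread_a = Thread.new do
    begin
      verifier.call(FORGED_ENV)
      :accepted
    rescue InvalidAuthenticityToken => e
      e.class
    end
  end
  a_parked.pop                              # A has assigned its request
  Thread.new { verifier.call(LEGIT_ENV) }.join  # B overwrites @request in the shared version
  a_resume << true
  thread_a.value
end

if __FILE__ == $0
  puts "shared ivar verifier:  #{race(SharedStateVerifier)}"   # :accepted (forged request passes)
  puts "reentrant verifier:    #{race(ReentrantVerifier)}"     # InvalidAuthenticityToken
end
```

With the shared-ivar verifier, thread A's forged request is accepted because by the time it evaluates `verified_request?`, `@request` holds thread B's legitimate request. The reentrant verifier rejects it regardless of scheduling, which is the property to check for when a verifier is installed once into a process-wide config slot.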